CVE-2021-30638

Опубликовано: 27 апр. 2021

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1.

Ссылки

http://www.openwall.com/lists/oss-security/2021/04/27/3
Mailing List
Third Party Advisory
https://lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675f0256caa6991eb%40%3Cusers.tapestry.apache.org%3E
Mailing List
Vendor Advisory
https://security.netapp.com/advisory/ntap-20210528-0004/
Third Party Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-491/
Third Party Advisory
VDB Entry
http://www.openwall.com/lists/oss-security/2021/04/27/3
Mailing List
Third Party Advisory
https://lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675f0256caa6991eb%40%3Cusers.tapestry.apache.org%3E
Mailing List
Vendor Advisory
https://security.netapp.com/advisory/ntap-20210528-0004/
Third Party Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-491/
Third Party Advisory
VDB Entry

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:tapestry:*:*:*:*:*:*:*:*

Версия от 5.4.0 (включая) до 5.6.4 (исключая)

cpe:2.3:a:apache:tapestry:*:*:*:*:*:*:*:*

Версия от 5.7.0 (включая) до 5.7.2 (исключая)

EPSS

Процентиль: 90%

0.05311

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-200

CWE-863

Связанные уязвимости

GHSA-ghm8-mmx7-xvg2